Accidental IT: Setting Up SSL Connections

In this Accidental IT, we show you a relatively simple and effective tool for foiling attempts at unauthorized remote access using a Secure Sockets Layer (SSL) connection.

August 3, 2005


Welcome to Accidental IT, a series of technical how-tos for people whose job descriptions don't necessarily include tech support but who often find themselves doing just that for their co-workers.

Data security is a main focus for many business data environments. The ability to remotely access business information can present opportunities for unauthorized access to information, data theft, or cyber attacks. Since firewalls are configured to allow authorized access both in and out of the corporate servers, attackers look for legitimate connections that can be tapped or duplicated. A relatively simple and effective tool for foiling these attempts is the Secure Sockets Layer (SSL) connection.

SSL can be set up to protect a variety of connection types including FTP, e-mail, and HTTP. Establishing SSL security is effective for offices using Outlook Web Access (OWA) to connect remote users to Microsoft Exchange Server. This example setup can be applied to protect OWA sessions from prying eyes.

The Certificate

The basis for security is the determination that each participant in any connection between computers is, in fact, who they claim to be, and authorized to participate in the connection. Independent organizations acting as Certificate Authorities (CA) carry out the process of validating owners of computers and issuing certificates. If your company already has a certificate in place for its domain you can create one for OWA.

The Authority

If your company doesn't already have a relationship with a Certificate Authority, you will need to create an account and apply for a certificate. Verisign and Thawte are well-known certificate authorities, but there are others like InstantSSL and CAcert that offer certificates at competitive rates or at no cost at all.

Applying a certificate to Exchange 2003/Windows Server 2003 or Exchange 2000/Server 2000 is done by starting a wizard that will walk you through the process. Start the wizard by going to Start / All Programs / Administrative Tools, then Internet Information Services (IIS) Manager. Find the Default Web Site and right-click it, then select the Properties item. Select the Directory Security tab and then click the Server Certificate button.

When creating the certificate request, enter the name of your Web site in the wizard.

Work through the wizard, selecting "Create a certificate," and save the file in the final step. Select to have the certificate request sent to a Certificate Authority for validation (more on that next).

Once your certificate has been issued by the certificate authority, it will either be sent to you by email or displayed on a Web page. Save the text of your certificate to a file on your computer with a .CER extension. Then, in the Default Web Site Properties / Directory Security page, click the Server Certificate button and then "Process the pending request." Select the .CER file containing the certificate, and complete the wizard process.

Select the secure communication option when applying the certificate.

Complete the process

After your certificate is processed, SSL is active on your server. Clients (OWA) will be connected securely to your server, and all data traffic between your server and client will be encrypted.

You can apply SSL to other applications if your data requires protection. Your Web site is explicitly open to public view, so applying SSL to the site is unnecessary. However, e-commerce sites and intranets are prime candidates for secure communication because of the sensitive financial and business information they convey.
